Baseline settings

andreas bright 581 Reputation points
2020-09-21T15:36:44.243+00:00

Hi,

I am looking into Security Baselines and comparing them with other settings that we can configure under Configuration Profiles and Compliance Policies. As I understand it, we should implement Baselines and change any settings so they fit our environment. And if things are missing, you configure them separately, as Configuration Profiles for example.
But I am struggling to see what the best way is to implement settings, so in regard to that I have some questions.

  1. BitLocker: I can see there are two settings under Baseline and the same settings under Endpoint Security>Disk Encryption. The baseline says "yes" to block write access to removable devices. If I set "Not configured" within a policy under Endpoint Security>Disk Encryption, is it the strictest setting that will apply?
  2. Is anyone out there using a baseline who has had to change many settings because users have had issues? To me it seems like many of the settings can cause "issues" for the users, but there are so many settings and so many applications around that it's very difficult to find out before you activate them. What is your experience, and do you have any comments on what you have changed in live production?
  3. Under Baseline>Device Lock>Require Password is "yes"; is this the same setting as under Compliance policy>System security>Require a password to unlock mobile devices?
  4. If I look at Firewall settings, I can either use the Baseline for some settings, or I could go to Endpoint Security>Firewall and configure it there, and if that is not enough, I can also configure it under Configuration Profiles>Endpoint Protection>Microsoft Defender Firewall. And of course these have different settings; take for example IPsec exemptions… this one I only find under the Configuration Profiles. I must say this can be very confusing.

I have also heard that Baselines do not work well with "other stuff", but I am not sure what they meant by that.

Thanks for any comments on this.


Accepted answer
  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2020-09-22T03:11:44.22+00:00

    @andreas bright, as this is the Intune forum, I will provide my answers to your questions from the Intune side for your reference:
    Q1: BitLocker: I can see there are two settings under Baseline and the same settings under Endpoint Security>Disk Encryption. The baseline says "yes" to block write access to removable devices. If I set "Not configured" within a policy under Endpoint Security>Disk Encryption, is it the strictest setting that will apply?
    A1: For the BitLocker policy for removable drive settings in Intune, see the following link. If we set "Block write access to removable data-drives not protected by BitLocker" to yes, it will block access to removable drives unless they were encrypted on a computer owned by your organization.
    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-disk-encryption-profile-settings#bitlocker---removable-drive-settings

    Q2: Is anyone out there using a baseline who has had to change many settings because users have had issues? To me it seems like many of the settings can cause "issues" for the users, but there are so many settings and so many applications around that it's very difficult to find out before you activate them. What is your experience, and do you have any comments on what you have changed in live production?
    A2: To avoid the impact of issues when we configure an Endpoint security policy, we suggest first creating a group with some test devices. After the policy is applied successfully without any issue, we can then assign it to other devices step by step.

    Q3: Under Baseline>Device Lock>Require Password is "yes"; is this the same setting as under Compliance policy>System security>Require a password to unlock mobile devices?
    A3: As far as I know, the setting in Intune will force the user to enter a password before they can access their mobile device.
    For the setting under Configuration Manager, did you mean the setting "Require password settings on devices" in the following link? If so, it applies to Windows 10 and requires a password on supported devices.
    https://learn.microsoft.com/en-us/mem/configmgr/compliance/deploy-use/create-configuration-items-for-windows-10-devices-managed-with-the-client#BKMK_Ref

    Q4: If I look at Firewall settings, I can either use the Baseline for some settings, or I could go to Endpoint Security>Firewall and configure it there, and if that is not enough, I can also configure it under Configuration Profiles>Endpoint Protection>Microsoft Defender Firewall. And of course these have different settings; take for example IPsec exemptions… this one I only find under the Configuration Profiles. I must say this can be very confusing.
    A4: Based on my research, I find we can configure the same firewall settings as in Endpoint security by using Endpoint Protection profiles for device configuration; the device configuration profiles include additional categories of settings. These additional settings are unrelated to firewalls and can complicate the task of configuring only firewall settings for your environment. Here is an official article for reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-firewall-policy

    If you feel confused when using it, we suggest giving feedback on Intune UserVoice so the Intune product team can see this:
    https://microsoftintune.uservoice.com/forums/291681-ideas

    Hope it can help.


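The answer above recommends piloting a baseline on a test group before rolling it out. As an added example (not part of the original thread or any Microsoft script), the following PowerShell reads back, on a pilot device, what the device actually received for the two settings discussed in Q1 and Q4, regardless of whether a baseline, an Endpoint security profile or a device configuration profile delivered them. It assumes the BitLocker policy values land under `HKLM\SOFTWARE\Policies\Microsoft\FVE` (the same location Group Policy and the BitLocker CSP write to, with `RDVDenyWriteAccess` and `RDVDenyCrossOrg`) and that the NetSecurity cmdlets are available, which holds on supported Windows 10 builds. Run it in an elevated session.

```powershell
# Added example, not from the original thread. Run elevated on an Intune-enrolled pilot device.
# Assumed locations: HKLM\SOFTWARE\Policies\Microsoft\FVE for BitLocker policy (RDVDenyWriteAccess,
# RDVDenyCrossOrg); Get-NetFirewallProfile / Get-NetFirewallSetting for the Defender Firewall state.

function Get-RemovableDriveWritePolicy {
    # "Block write access to removable data-drives not protected by BitLocker"
    $fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Setting           = 'Deny write access to removable drives not protected by BitLocker'
        PolicyPresent     = ($null -ne $props -and $null -ne $props.RDVDenyWriteAccess)
        DenyWriteAccess   = [bool]$props.RDVDenyWriteAccess
        # Sub-option: also deny write access to drives encrypted by another organization
        DenyCrossOrgWrite = [bool]$props.RDVDenyCrossOrg
    }
}

function Get-RemovableVolumeProtection {
    # Attached removable volumes and whether BitLocker currently protects them.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    foreach ($vol in $removable) {
        $mount  = "$($vol.DriveLetter):"
        $bl     = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        $status = 'Unknown'
        $state  = 'Unknown'
        if ($bl) { $status = $bl.ProtectionStatus; $state = $bl.VolumeStatus }
        [pscustomobject]@{
            MountPoint       = $mount
            FileSystemLabel  = $vol.FileSystemLabel
            ProtectionStatus = $status   # On means writes are allowed by the policy above
            VolumeStatus     = $state
        }
    }
}

function Get-FirewallPolicyState {
    # Effective (ActiveStore) per-profile state, plus the IPsec exemptions mentioned in Q4.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, AllowLocalFirewallRules
    $global = Get-NetFirewallSetting -PolicyStore ActiveStore
    [pscustomobject]@{
        Profiles        = $profiles
        IPsecExemptions = $global.Exemptions
    }
}

# Usage: run on a pilot device and compare against the values the baseline is supposed to set.
Get-RemovableDriveWritePolicy | Format-List
Get-RemovableVolumeProtection | Format-Table -AutoSize
$fw = Get-FirewallPolicyState
$fw.Profiles | Format-Table -AutoSize
"IPsec exemptions: $($fw.IPsecExemptions)"
```

Reading the effective state from the device, rather than only the policy report in the admin center, is what tells you whether a "Not configured" value in one profile actually left the baseline's "yes" in force: if `DenyWriteAccess` is false after both policies have synced, something else has cleared it and you have a conflict to investigate.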

2 additional answers

  1. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2020-09-23T03:18:18.467+00:00

    @andreas bright, based on my checking of the settings under "Windows 10 MDM baseline settings" and "Microsoft Defender ATP baseline settings", it seems the setting "Turn on Credential Guard" is deployed with the same CSP. Here are the articles for reference:
    https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-sept-2020
    https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-defender-atp?pivots=atp-sept-2020

    Given the situation, we suggest configuring only one of these settings for the same device to avoid a conflict. In general, when we use multiple security baselines, review the settings in each one to identify when your different baseline configurations introduce conflicting values for the same setting. Because you can deploy security baselines that are designed for different intents, and deploy multiple instances of the same baseline that include customized settings, you might create configuration conflicts for devices that must be investigated and resolved. We can see more details in the following link:
    https://learn.microsoft.com/en-us/mem/intune/protect/security-baselines#avoid-conflicts

    Hope it can help.

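The answer above says the two baselines deploy "Turn on Credential Guard" through the same CSP and that overlapping baselines must be reviewed for conflicting values. As an added example (not from the thread or from Microsoft), the following PowerShell shows on the device itself which MDM policy providers have written a given Policy CSP value, so a duplicate (two sources, same value) can be told apart from a real conflict (two sources, different values). It assumes the documented Policy CSP registry layout: per-provider values under `HKLM\SOFTWARE\Microsoft\PolicyManager\providers\<enrollment GUID>\default\Device\<Area>\<Policy>` and the merged result under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>`. The function is general (any area/policy); the usage section applies it to the setting in this thread, `DeviceGuard/LsaCfgFlags`, where 1 means enabled with UEFI lock and 2 means enabled without lock.

```powershell
# Added example, not from the original thread. Run elevated on an Intune-enrolled Windows 10 device.
# Assumed layout (Policy CSP):
#   HKLM\SOFTWARE\Microsoft\PolicyManager\providers\<GUID>\default\Device\<Area>\<Policy>   per source
#   HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Policy>                     merged value

function Get-MdmPolicySources {
    param(
        [Parameter(Mandatory)][string]$Area,    # Policy CSP area, e.g. DeviceGuard
        [Parameter(Mandatory)][string]$Policy   # Policy name within the area, e.g. LsaCfgFlags
    )
    $root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager'

    # One row per provider (enrollment) that has written this policy.
    $sources = @(
        Get-ChildItem -Path "$root\providers" -ErrorAction SilentlyContinue | ForEach-Object {
            $key   = "$($_.PSPath)\default\Device\$Area"
            $value = (Get-ItemProperty -Path $key -Name $Policy -ErrorAction SilentlyContinue).$Policy
            if ($null -ne $value) {
                [pscustomobject]@{ Provider = $_.PSChildName; Value = $value }
            }
        }
    )
    $effective = (Get-ItemProperty -Path "$root\current\device\$Area" -Name $Policy -ErrorAction SilentlyContinue).$Policy
    $distinct  = @($sources | Select-Object -ExpandProperty Value | Sort-Object -Unique)

    [pscustomobject]@{
        Policy         = "$Area/$Policy"
        Sources        = $sources
        SourceCount    = $sources.Count
        # Several providers writing the same value is redundant but harmless;
        # several distinct values is the conflict the Intune docs tell you to resolve.
        Duplicate      = ($sources.Count -gt 1 -and $distinct.Count -eq 1)
        Conflict       = ($distinct.Count -gt 1)
        EffectiveValue = $effective
    }
}

function Get-CredentialGuardState {
    # What the OS ended up running, independent of what MDM wrote.
    $lsa = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LsaCfgFlags            = $lsa                                        # 1 = on with UEFI lock, 2 = on without lock
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard in Win32_DeviceGuard
    }
}

# Usage: the Credential Guard setting both baselines in this thread configure.
$cg = Get-MdmPolicySources -Area DeviceGuard -Policy LsaCfgFlags
$cg | Format-List Policy, SourceCount, Duplicate, Conflict, EffectiveValue
$cg.Sources | Format-Table -AutoSize
Get-CredentialGuardState | Format-List
```

Two points a practitioner should keep in mind when acting on the output. First, `Duplicate = True` with `Conflict = False` is the situation the question describes (both baselines say "Enabled with UEFI lock"); the device has one value, and setting one baseline to "Not configured" only removes the redundancy. Second, the UEFI lock variant is deliberately sticky: switching the policy to "Not configured" or "Enabled without lock" later does not clear the lock from a device that already received it, because the lock must be removed on the device itself. Piloting that value on the test group first, as the accepted answer suggests, is therefore worth doing. The same function can be pointed at any other overlapping area, for example the DeviceLock area behind the "Require Password" setting in Q3, to check which policy types delivered it.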

  2. andreas bright 581 Reputation points
    2020-09-22T13:03:55.08+00:00

    Hi,

    Thanks for reply @Crystal-MSFT
    I have one more question.

    Microsoft has a baseline for "Windows 10" and one for "ATP".
    In both of these they have configured Device Guard>Turn on Credential Guard = Enabled with UEFI lock.
    If we implement both these baselines, is there a problem that both of these are configured, or should one of them say "not configured"? I guess it will only apply the policy one more time?

    Comments ?

